17 Nov Your Email WILL Betray You

No matter what your email service is or what you think of their security, Yahoo shows that there is no customer loyalty when it comes to the NSA’s command.

I talk about security on my personal site a lot. There’s a whole page of different stuff to consider when you’re trying to keep your secrets secret. I talk about best practices for email (ProtonMail), for messenger apps (Telegram), for texting (Just Don’t Do It), and what things an average person might do to protect themselves in the long and short run.

But the truth of the matter is, if somebody wants to come for you, they will. As we just watched with this last year of election coverage, even the top echelons of federal government don’t understand even the basics of information security, or that all-important fact that nothing ever really goes away. In fact, most people are so shortsighted and uninformed about how email works that I’ve had to have variations of this conversation:

“Please don’t send me messages like this.”

“Oh, it’s ok. I’ll just delete it when we’re done.”

“Ok, but that just deletes messages in your account. That doesn’t make them go away in my inbox. Or in google’s cache.”

“Right but I’ll delete them. They’ll be gone.”

*disgusted sigh*

with many, many people, for years now.

There is no “deleting.” That isn’t real. Information doesn’t go away the way you think it does, and if you don’t want someone to read it, you can’t ever type it and send it.

My choice to move to ProtonMail as my email provider was based on the idea that I’m going to do the best I possibly can to make sure my personal information stays personal. I know that if somebody really wants to hack me, they’re going to. But I can do my best to make it very difficult for them. And I think I have a duty to protect my information, especially as it relates to clients and friends. It’s why I don’t keep an address book or save contacts, and why I don’t want to text or talk on the phone with you.

What happened?

This week, it was revealed that as a result of a secret US government directive, Yahoo was forced to implement special surveillance software to scan all Yahoo Mail accounts at the request of the NSA and FBI. Sometime in early 2015, Yahoo secretly modified their spam and malware filters to scan all incoming email messages for the phrases in the court order and then siphoned those messages off to US intelligence. This is significant for several reasons:

• This is the first known incident where a US intelligence directive has indiscriminately targeted all accounts as opposed to just the accounts of suspects. Effectively, all 500 million+ Yahoo Mail users were presumed to be guilty.

• Because ALL incoming email messages were targeted, this program spied on every person who emailed a Yahoo Mail account, violating the privacy of users around the world who may not even have been using a US email service.

What does this mean for US tech companies?

This is a terrible precedent and ushers in a new era of global mass surveillance. It means that US tech companies that serve billions of users around the world can now be forced to act as extensions of the US surveillance apparatus. The problem extends well beyond Yahoo. As was reported earlier, Yahoo did not fight the secret directive because Yahoo CEO Marissa Mayer and the Yahoo legal team did not believe that they could successfully resist the directive.

We believe that Yahoo’s assessment is correct. If it was possible to fight the directive, Yahoo certainly would have done so since they previously fought against secret FISA court orders in 2008. It does not make sense that US surveillance agencies would serve Yahoo Mail with such an order but ignore Gmail, the world’s largest email provider, or Outlook. There is no doubt that the secret surveillance software is also present in Gmail and Outlook, or at least there is nothing preventing Gmail and Outlook from being forced to comply with a similar directive in the future. From a legal perspective, there is nothing that makes Yahoo particularly vulnerable, or Google particularly invulnerable.

Google and Microsoft have come out to deny they participated in US government mandated mass surveillance, but under a National Security Letter (NSL) gag order, Google and Microsoft would have no choice but to deny the allegations or risk breaking US law (our analysis of Yahoo’s denial is at the bottom of this post). Again ,there is no conceivable reason US intelligence would target Yahoo but ignore Gmail, so we must consider this to be the most probable scenario, particularly since gag orders have become the norm rather than the exception.

In effect, the US government has now officially co-opted US tech companies to perform mass surveillance on all users, regardless of whether they are under US jurisdiction or not. Given the huge amount of data that Google has, this is a truly scary proposition.

How does this impact ProtonMail?

ProtonMail’s secure email service is based in Switzerland and all our servers are located in Switzerland, so all user data is maintained under the protection of Swiss privacy laws. ProtonMail cannot be compelled to perform mass surveillance on our users, nor be compelled to act on behalf of US intelligence. ProtonMail also utilizes end-to-end encryption which means we do not have the capability to read user emails in the first place, so we couldn’t hand over user email data even if we wanted to.

However, since email is an open system, any unencrypted email that goes out of ProtonMail, to Yahoo Mail for example, could potentially have been swept up by these mass surveillance programs and sent to US government agencies. This is why if you want to avoid having your communications scanned and saved by US government agencies, it is important to invite friends, family, and colleagues to use non-US email accounts such as ProtonMail or other email services offered by European companies.

What can the rest of the world do about this?

Unfortunately, the tech sector today is entirely dominated by US companies. Just like Google has a monopoly on search, the US government has a near monopoly on mass surveillance. Even without US government pressure, most US tech companies also have perverse economic incentives to slowly chip away at digital privacy.

This week, we have again seen how easily the massive amounts of private data retained by US tech companies can be abused by US intelligence for their own purposes. Without alternatives to the US tech giants, the rest of the world has no choice but to consent to this. This is an unprecedented challenge, but it also presents an unprecedented opportunity, particularly for Europe.

Now is the time for Europe to invest in its own tech sector, unbeholden to outside interests. This is the only way the European community can continue to safeguard the European ideals of privacy, liberty, and freedom online. It is time for European governments and citizens to act before it is too late.

The only chance for privacy to prevail against these attacks is for the global community to support a new generation of web services which protect privacy by default. These services, such as ProtonMail’s encrypted email service, must operate with a business model where users can donate or pay for services, instead of giving up data and privacy. The security community also has an obligation to make these new service just as easy to use as the ones they replace.

Services such as secure email, search, and cloud storage are now vital to our lives. Their importance means that for the good of all citizens, we need to develop private alternatives that are aligned with users, and free from corporate greed and government overreach. Crowdfunded services like ProtonMail are rising to the challenge, but we need more support from the global community to successfully take on better funded US tech giants. Privacy matters, and your support is essential to ensure the Internet of the future is one that protects our rights.

I encourage you to go to ProtonMail’s blog and read their analysis of the Yahoo statement, for further information about the pressure they have been under as a company, and why other sites are likely under a gag order about their own participation.

I also strongly, STRONGLY encourage you to sign up for a ProtonMail account (it’s fast and free and works like every other email you’ve ever used) and use only that for emailing me, or anyone you don’t want your boss/mother/wife or the FBI/DHS/NSA to know about.

There have been countless occasions where I am unable to respond to someone who is clearly using their corporate/employee email account, simply because I do not want to be associated with them when their IT department decides to see what they’ve been up to.

Like I said, you’re never going to seal all the cracks. Even .gov addresses are hacked and released on Wikileaks. But you can do better than what you’re doing right now.

[…] the first thing you should do, is take all those conversations out of your standard email inbox and over to something more secure. It’s not foolproof, but it could save you a lot of trouble down the […]